syzbot


BUG: soft lockup in inet_sendmsg

Status: auto-closed as invalid on 2022/08/03 16:05
Reported-by: syzbot+9014e32c5c57f53253b3@syzkaller.appspotmail.com
First crash: 975d, last: 975d
Similar bugs (3)
| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| linux-4.19 | BUG: soft lockup in inet_sendmsg | | | | 74 | 669d | 1006d | 0/1 | upstream: reported on 2022/03/05 20:29 |
| upstream | INFO: rcu detected stall in inet_sendmsg (4) net | | | | 1 | 784d | 784d | 0/28 | auto-obsoleted due to no activity on 2023/01/16 15:35 |
| upstream | INFO: rcu detected stall in inet_sendmsg (3) perf | syz | error | error | 68 | 955d | 1593d | 0/28 | auto-obsoleted due to no activity on 2022/10/08 22:05 |

Sample crash report:
watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [syz-executor.4:12011]
Modules linked in:
irq event stamp: 1891341
hardirqs last  enabled at (1891340): [<ffffffff817eb6b0>] slab_alloc_node mm/slab.c:3327 [inline]
hardirqs last  enabled at (1891340): [<ffffffff817eb6b0>] kmem_cache_alloc_node_trace+0x2f0/0x400 mm/slab.c:3659
hardirqs last disabled at (1891341): [<ffffffff874018ae>] apic_timer_interrupt+0x8e/0xa0 arch/x86/entry/entry_64.S:793
softirqs last  enabled at (156116): [<ffffffff862860ef>] ipt_do_table+0xb7f/0x16f0 net/ipv4/netfilter/ip_tables.c:362
softirqs last disabled at (156118): [<ffffffff860de14f>] lwtunnel_xmit_redirect include/net/lwtunnel.h:92 [inline]
softirqs last disabled at (156118): [<ffffffff860de14f>] ip_finish_output2+0x23f/0x1340 net/ipv4/ip_output.c:221
CPU: 0 PID: 12011 Comm: syz-executor.4 Not tainted 4.14.275-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8880b19682c0 task.stack: ffff888096bc0000
RIP: 0010:memcmp+0x46/0xb0 lib/string.c:918
RSP: 0018:ffff888096bc5858 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff10
RAX: 0000000000000000 RBX: ffff888096bc5a83 RCX: 0000000000000002
RDX: 0000000000000003 RSI: ffff8880b4d8e4e3 RDI: ffff888096bc58f8
RBP: dffffc0000000000 R08: 0000000000000000 R09: 0000000000000009
R10: 0000000000000000 R11: ffff8880b19682c0 R12: ffff888096bc5ab8
R13: 0000000000000038 R14: ffff888096bc58f8 R15: ffff8880b4d8e340
FS:  00007f5171245700(0000) GS:ffff8880ba400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2eb2f000 CR3: 0000000097e2c000 CR4: 00000000003406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 find_stack lib/stackdepot.c:180 [inline]
 depot_save_stack+0x10d/0x3f0 lib/stackdepot.c:229
 save_stack mm/kasan/kasan.c:453 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0x139/0x160 mm/kasan/kasan.c:551
 slab_post_alloc_hook mm/slab.h:442 [inline]
 slab_alloc_node mm/slab.c:3333 [inline]
 kmem_cache_alloc_node_trace+0x13d/0x400 mm/slab.c:3659
 __do_kmalloc_node mm/slab.c:3681 [inline]
 __kmalloc_node_track_caller+0x38/0x70 mm/slab.c:3696
 __kmalloc_reserve net/core/skbuff.c:137 [inline]
 __alloc_skb+0x96/0x510 net/core/skbuff.c:205
 skb_segment+0x677/0x2e60 net/core/skbuff.c:3683
 sctp_gso_segment net/sctp/offload.c:76 [inline]
 sctp_gso_segment+0x204/0x810 net/sctp/offload.c:43
 inet_gso_segment+0x487/0x10f0 net/ipv4/af_inet.c:1272
 inet_gso_segment+0x487/0x10f0 net/ipv4/af_inet.c:1272
 skb_mac_gso_segment+0x240/0x4c0 net/core/dev.c:2745
 __skb_gso_segment+0x302/0x600 net/core/dev.c:2818
 skb_gso_segment include/linux/netdevice.h:4003 [inline]
 validate_xmit_skb+0x49c/0x9f0 net/core/dev.c:3071
 validate_xmit_skb_list+0xaf/0x110 net/core/dev.c:3122
 sch_direct_xmit+0x2dc/0x500 net/sched/sch_generic.c:181
 qdisc_restart net/sched/sch_generic.c:249 [inline]
 __qdisc_run+0x25d/0xe00 net/sched/sch_generic.c:257
 __dev_xmit_skb net/core/dev.c:3231 [inline]
 __dev_queue_xmit+0x13ac/0x2480 net/core/dev.c:3489
 neigh_hh_output include/net/neighbour.h:490 [inline]
 neigh_output include/net/neighbour.h:498 [inline]
 ip_finish_output2+0x9db/0x1340 net/ipv4/ip_output.c:237
 ip_finish_output+0x37c/0xc50 net/ipv4/ip_output.c:325
 NF_HOOK_COND include/linux/netfilter.h:239 [inline]
 ip_output+0x1cd/0x510 net/ipv4/ip_output.c:413
 dst_output include/net/dst.h:470 [inline]
 ip_local_out+0x93/0x170 net/ipv4/ip_output.c:125
 iptunnel_xmit+0x5cc/0x950 net/ipv4/ip_tunnel_core.c:91
 ip_tunnel_xmit+0xedc/0x33e0 net/ipv4/ip_tunnel.c:799
 sit_tunnel_xmit__ net/ipv6/sit.c:1006 [inline]
 sit_tunnel_xmit+0x1ab/0x2130 net/ipv6/sit.c:1019
 __netdev_start_xmit include/linux/netdevice.h:4052 [inline]
 netdev_start_xmit include/linux/netdevice.h:4061 [inline]
 xmit_one net/core/dev.c:3005 [inline]
 dev_hard_start_xmit+0x188/0x890 net/core/dev.c:3021
 __dev_queue_xmit+0x1d7f/0x2480 net/core/dev.c:3521
 neigh_output include/net/neighbour.h:500 [inline]
 ip_finish_output2+0xba6/0x1340 net/ipv4/ip_output.c:237
 ip_finish_output+0x37c/0xc50 net/ipv4/ip_output.c:325
 NF_HOOK_COND include/linux/netfilter.h:239 [inline]
 ip_output+0x1cd/0x510 net/ipv4/ip_output.c:413
 dst_output include/net/dst.h:470 [inline]
 ip_local_out+0x93/0x170 net/ipv4/ip_output.c:125
 nf_dup_ipv4 net/ipv4/netfilter/nf_dup_ipv4.c:91 [inline]
 nf_dup_ipv4+0x4bb/0x680 net/ipv4/netfilter/nf_dup_ipv4.c:53
 tee_tg4+0x109/0x160 net/netfilter/xt_TEE.c:36
 ipt_do_table+0xa9d/0x16f0 net/ipv4/netfilter/ip_tables.c:353
 iptable_filter_hook+0x172/0x1e0 net/ipv4/netfilter/iptable_filter.c:47
 nf_hook_entry_hookfn include/linux/netfilter.h:108 [inline]
 nf_hook_slow+0xb0/0x1a0 net/netfilter/core.c:468
 nf_hook include/linux/netfilter.h:205 [inline]
 __ip_local_out+0x398/0x730 net/ipv4/ip_output.c:114
 ip_local_out+0x25/0x170 net/ipv4/ip_output.c:123
 iptunnel_xmit+0x5cc/0x950 net/ipv4/ip_tunnel_core.c:91
 ip_tunnel_xmit+0xedc/0x33e0 net/ipv4/ip_tunnel.c:799
 ipgre_xmit+0x412/0x780 net/ipv4/ip_gre.c:672
 __netdev_start_xmit include/linux/netdevice.h:4052 [inline]
 netdev_start_xmit include/linux/netdevice.h:4061 [inline]
 xmit_one net/core/dev.c:3005 [inline]
 dev_hard_start_xmit+0x188/0x890 net/core/dev.c:3021
 __dev_queue_xmit+0x1d7f/0x2480 net/core/dev.c:3521
 neigh_connected_output+0x39c/0x580 net/core/neighbour.c:1398
 neigh_output include/net/neighbour.h:500 [inline]
 ip_finish_output2+0xba6/0x1340 net/ipv4/ip_output.c:237
 ip_finish_output+0x37c/0xc50 net/ipv4/ip_output.c:325
 NF_HOOK_COND include/linux/netfilter.h:239 [inline]
 ip_output+0x1cd/0x510 net/ipv4/ip_output.c:413
 dst_output include/net/dst.h:470 [inline]
 ip_local_out+0x93/0x170 net/ipv4/ip_output.c:125
 ip_send_skb+0x3a/0xc0 net/ipv4/ip_output.c:1431
 udp_send_skb+0x601/0xb70 net/ipv4/udp.c:833
 udp_sendmsg+0x15a1/0x1c80 net/ipv4/udp.c:1057
 udpv6_sendmsg+0x12ea/0x2560 net/ipv6/udp.c:1193
 inet_sendmsg+0x11a/0x4e0 net/ipv4/af_inet.c:762
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xb5/0x100 net/socket.c:656
 ___sys_sendmsg+0x326/0x800 net/socket.c:2062
 __sys_sendmmsg+0x129/0x330 net/socket.c:2152
 SYSC_sendmmsg net/socket.c:2183 [inline]
 SyS_sendmmsg+0x2f/0x50 net/socket.c:2178
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7f51728f1049
RSP: 002b:00007f5171245168 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007f5172a04030 RCX: 00007f51728f1049
RDX: 0400000000000132 RSI: 0000000020004d80 RDI: 000000000000000e
RBP: 00007f517294b08d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000004000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffe80807faf R14: 00007f5171245300 R15: 0000000000022000
Code: 83 ec 10 eb 0d 48 83 c3 01 48 83 c6 01 49 39 dc 74 45 48 89 d8 48 89 da 48 c1 e8 03 83 e2 07 0f b6 04 28 38 d0 7f 04 84 c0 75 54 <48> 89 f2 48 89 f1 0f b6 03 48 c1 ea 03 83 e1 07 0f b6 14 2a 38 
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 7986 Comm: syz-executor.3 Not tainted 4.14.275-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff88808f712540 task.stack: ffff8880a26b8000
RIP: 0010:__read_once_size include/linux/compiler.h:185 [inline]
RIP: 0010:__read_seqcount_begin include/linux/seqlock.h:113 [inline]
RIP: 0010:raw_read_seqcount_begin include/linux/seqlock.h:148 [inline]
RIP: 0010:read_seqcount_begin include/linux/seqlock.h:165 [inline]
RIP: 0010:get_counters+0x46a/0x5d0 net/ipv6/netfilter/ip6_tables.c:797
RSP: 0018:ffff8880a26bfbd8 EFLAGS: 00000297
RAX: ffff88808f712540 RBX: ffffe8ffffcd8000 RCX: 1ffff11011ee25bd
RDX: 0000000000000000 RSI: ffff88808f712dc8 RDI: 0000000000000297
RBP: ffff88809315adc0 R08: ffffffff8b9af9c8 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000003
R13: ffff8880ba433600 R14: ffffed10174866c0 R15: dffffc0000000000
FS:  00005555573f0400(0000) GS:ffff8880ba500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555557205848 CR3: 00000000ab314000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 do_arpt_get_ctl+0x412/0x6d0 net/ipv4/netfilter/arp_tables.c:662
 nf_sockopt net/netfilter/nf_sockopt.c:104 [inline]
 nf_getsockopt+0x62/0xc0 net/netfilter/nf_sockopt.c:122
 ip_getsockopt net/ipv4/ip_sockglue.c:1566 [inline]
 ip_getsockopt+0x105/0x150 net/ipv4/ip_sockglue.c:1551
 tcp_getsockopt+0x7b/0xc0 net/ipv4/tcp.c:3259
 SYSC_getsockopt net/socket.c:1896 [inline]
 SyS_getsockopt+0x102/0x1c0 net/socket.c:1878
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x7f1e2dd9766a
RSP: 002b:00007ffee97f5da8 EFLAGS: 00000212 ORIG_RAX: 0000000000000037
RAX: ffffffffffffffda RBX: 00007ffee97f5dbc RCX: 00007f1e2dd9766a
RDX: 0000000000000061 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 0000000000000003 R08: 00007ffee97f5dbc R09: ff00000000000000
R10: 00007ffee97f5e10 R11: 0000000000000212 R12: 00007ffee97f5e10
R13: 000000000001d7a7 R14: 0000000000000005 R15: 00007ffee97f6520
Code: ff e8 4b b4 2b fb 0f 0b e8 44 b4 2b fb 0f 0b 4d 89 ee 4d 89 ec 49 c1 ee 03 41 83 e4 07 4d 01 fe 41 83 c4 03 e8 28 b4 2b fb f3 90 <41> 0f b6 06 41 38 c4 7c 08 84 c0 0f 85 3f 01 00 00 41 8b 45 00 
----------------
Code disassembly (best guess):
   0:	83 ec 10             	sub    $0x10,%esp
   3:	eb 0d                	jmp    0x12
   5:	48 83 c3 01          	add    $0x1,%rbx
   9:	48 83 c6 01          	add    $0x1,%rsi
   d:	49 39 dc             	cmp    %rbx,%r12
  10:	74 45                	je     0x57
  12:	48 89 d8             	mov    %rbx,%rax
  15:	48 89 da             	mov    %rbx,%rdx
  18:	48 c1 e8 03          	shr    $0x3,%rax
  1c:	83 e2 07             	and    $0x7,%edx
  1f:	0f b6 04 28          	movzbl (%rax,%rbp,1),%eax
  23:	38 d0                	cmp    %dl,%al
  25:	7f 04                	jg     0x2b
  27:	84 c0                	test   %al,%al
  29:	75 54                	jne    0x7f
* 2b:	48 89 f2             	mov    %rsi,%rdx <-- trapping instruction
  2e:	48 89 f1             	mov    %rsi,%rcx
  31:	0f b6 03             	movzbl (%rbx),%eax
  34:	48 c1 ea 03          	shr    $0x3,%rdx
  38:	83 e1 07             	and    $0x7,%ecx
  3b:	0f b6 14 2a          	movzbl (%rdx,%rbp,1),%edx
  3f:	38                   	.byte 0x38

Crashes (1):
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2022/04/05 16:04 | linux-4.14.y | 74766a973637 | 0127c10f | .config | console log | report | | | info | | ci2-linux-4-14 | BUG: soft lockup in inet_sendmsg |